The news: Mark Zuckerberg finally broke his silence over a massive data scandal that had been festering for days. The furor was triggered by revelations that Cambridge Analytica (CA), a data-mining firm involved in the 2016 Trump election campaign, had gained unauthorized access to information about tens of millions of Facebook users.

The mea culpa: Although Zuckerberg blamed CA and Aleksandr Kogan, a researcher, for misleading the social network about whether they had deleted user data, he also admitted that the affair was “a breach of trust between Facebook and the people who share their data with us and expect us to protect it.”

Tip of a data iceberg: Zuckerberg said Facebook will conduct an audit of all apps that accessed large amounts of customer data before it tightened access rules in 2014, investigate those that engaged in suspicious activity, and ban them if they have broken its rules. It plans to tell customers whose data was abused.

Developer crackdown: The social network will also restrict the data developers can access when someone signs up to an app, and revoke access to data in any app that hasn’t been used for three months. Developers will also have to sign a digital contract with a user to get access to data beyond a name, profile photo, and e-mail address. Zuckerberg said Facebook also plans to let users see what apps are using their data and to control permissions directly from their News Feed. Right now, such tools are buried more deeply in Facebook’s privacy controls.

Too late and too little: There are still plenty of unanswered questions, such as why Facebook failed to report Cambridge Analytica’s failure to delete user data when it learned about it from journalists in 2015. Why weren’t the steps outlined above—and more—taken then rather than years later? And there’s still a deeply worrying lack of transparency over exactly how Facebook—and third parties—use customers’ data to target advertising and other services. Zuckerberg’s steps are the equivalent of applying a Band-Aid to a massive, festering wound that requires serious surgery to fix it—assuming that’s even possible given the contradictions inherent in Facebook’s surveillance-driven business model.

Martin Giles: I am the San Francisco bureau chief of MIT Technology Review, where I cover the future of computing and the companies in Silicon Valley that are shaping it. Before joining the publication, I led research and publishing at a venture capital firm focused on business technology. Prior to that, I worked for The Economist for many years as a reporter and editor, most recently as the paper’s West Coast-based tech writer.
